Need help preventing PHP code leakage

meefozio
Forum Newbie
Posts: 3
Joined: Fri Sep 24, 2010 4:53 pm

Need help preventing PHP code leakage

Post by meefozio »

[NOTE: I previously had this post in the security section but nobody responded to it.]

Hi all,

I've been reading about and implementing many PHP security measures before I launch my site, but I'm not finding a lot of information on preventing PHP code leakage. If you google "facebook code leakage," you get a bunch of matches explaining how their homepage PHP code was displayed for all to see. Most people are saying it is related to mod_php not being available.

If you google "prevent PHP code leak" or variations of that, you don't get a whole lot of useful tactics. A few websites mention using mod_security to prevent code leakage, and another recommends using htaccess to detect if mod_php is available before sending data out.

I'm leaning towards putting the following lines in htaccess, but I'm hesitant because the solution is not widely published:

<ifmodule !mod_php5.c>
<filesmatch "\.php$">
Order allow,deny
Deny from all
Allow from none
</filesmatch>
</ifmodule>

So I guess what I want to know is: what is the best or most common way to prevent code leakage?

Thanks,

meefozio
yacahuma
Forum Regular
Posts: 870
Joined: Sun Jul 01, 2007 7:11 am

Re: Need help preventing PHP code leakage

Post by yacahuma »

Are you asking about a Facebook application? There is no way to see PHP source code if your files end in .php and you have the interpreter installed correctly.
meefozio
Forum Newbie
Posts: 3
Joined: Fri Sep 24, 2010 4:53 pm

Re: Need help preventing PHP code leakage

Post by meefozio »

No, I'm not asking about a Facebook application. What I was trying to say is that once upon a time, Facebook experienced a problem where its PHP files were being sent out unprocessed for the whole world to see. It apparently can happen when mod_php is unavailable.

I just wanted to know if there is a way to prevent this situation or handle it if it happens to occur on my own website.
yacahuma
Forum Regular
Posts: 870
Joined: Sun Jul 01, 2007 7:11 am

Re: Need help preventing PHP code leakage

Post by yacahuma »

Anyone can verify this. I never heard of it.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Need help preventing PHP code leakage

Post by califdon »

I am certainly not a security expert, but I don't think you have anything to worry about. I had never heard of "PHP code leakage" either, and when I used your suggestion of searching for the phrase, immediately found a blog discussing an incident involving Facebook in 2007, along with a direct quotation from Facebook:
“A small fraction of the code that displays Facebook web pages was exposed to a small number of users due to a single misconfigured web server that was fixed immediately. It was not a security breach and did not compromise user data in any way.”
My conclusion is that if your server is configured properly, there is no risk, especially since it is obviously a very rare event, since there are almost no references to any but this one incident.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Need help preventing PHP code leakage

Post by requinix »

califdon wrote: My conclusion is that if your server is configured properly, there is no risk, especially since it is obviously a very rare event, since there are almost no references to any but this one incident.
That.

"Code leakage" only happens if the code does not get interpreted. If it does not, then 80%: the server is improperly configured, and 20%: a developer dun goofed (e.g., used readfile instead of include, named something .inc instead of .php).
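
An audit for the two developer mistakes named in the post above (readfile instead of include, .inc instead of .php), added here as an example and not code from any poster in this thread. It assumes only files whose final extension is .php are mapped to the PHP handler; the function names, finding labels and sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: only these extensions are mapped to the PHP handler on the server.
HANDLED_EXTS = {".php"}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Heuristic: readfile()/file_get_contents() on a literal path to a PHP-like file.
RAW_READ = re.compile(
    rb"\b(readfile|file_get_contents)\s*\(\s*['\"][^'\"]+\.(php|inc)['\"]",
    re.IGNORECASE)


def audit_docroot(docroot, handled_exts=HANDLED_EXTS):
    """Return sorted (relative_path, reason) findings for files under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            ext = os.path.splitext(name)[1].lower()
            # PHP source in a file the server would hand out as plain text.
            if PHP_OPEN_TAG.search(data) and ext not in handled_exts:
                findings.append((rel, "php-source-served-as-static-file"))
            # An executed script that streams another script's source to the client.
            if ext in handled_exts and RAW_READ.search(data):
                findings.append((rel, "raw-read-of-php-file"))
    return sorted(findings)


def build_sample_docroot(root):
    """Write a constructed sample tree (not taken from the thread) under root."""
    samples = {
        "index.php": b"<?php include 'lib/db.inc'; echo 'hi';",
        "lib/db.inc": b"<?php $db_password = 'constructed-placeholder';",
        "download.php": b"<?php readfile('config.php');",
        "config.php": b"<?php return ['debug' => false];",
        "config.php.bak": b"<?php return ['debug' => true];",
        "robots.txt": b"User-agent: *\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
```

Every path it reports is a candidate for renaming to .php or for moving out of the document root.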
meefozio
Forum Newbie
Posts: 3
Joined: Fri Sep 24, 2010 4:53 pm

Re: Need help preventing PHP code leakage

Post by meefozio »

So, in the event that the server is improperly configured or I make some other kind of screw-up, how can I prevent the code from leaking? I do not want to risk the PHP code showing, even if it is a very rare event. Would the following htaccess snippet work?
meefozio wrote:
<ifmodule !mod_php5.c>
<filesmatch "\.php$">
Order allow,deny
Deny from all
Allow from none
</filesmatch>
</ifmodule>
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Need help preventing PHP code leakage

Post by requinix »

What if PHP is set up as a CGI application?
What if that configuration has a flaw?
There are too many what-ifs for such a tiny risk.

If it would be the end of the world to have some PHP code exposed then don't put it in the webserver's document root.